33 lines
1.2 KiB
Plaintext
33 lines
1.2 KiB
Plaintext
git clone git@github.com:comex/datautils0.git
|
|
cd datautils0
|
|
git clone git@github.com:comex/data.git
|
|
make NATIVE=1
|
|
./make_kernel_patchfile /path/to/kernelcache /tmp/patchfile
|
|
./apply_patchfile /path/to/kernelcache /tmp/patchfile /output/patched/kernelcache
|
|
|
|
Patchfile format:
|
|
|
|
field length
|
|
--------------------
|
|
namelen 4
|
|
name namelen
|
|
addr 4
|
|
datalen 4
|
|
data datalen
|
|
|
|
- If you're patching the kernel after it has already booted, you can (but need not) skip patches with names starting with "-".
|
|
|
|
- apply_patchfile patches the kernel to start /sbin/lunchd instead of launchd. You can remove that, but the idea is that the filesystem looks like this:
|
|
|
|
/sbin/launchd: untether exploit that execs /sbin/lunchd
|
|
/sbin/lunchd: a script that execs /sbin/launchd.real with DYLD_INSERT_LIBRARIES set to the dylibs in /Library/LaunchExtensions; this may be used in the future by MobileSubstrate
|
|
/sbin/launchd.real: the original /sbin/launchd
|
|
|
|
This is the lunchd script:
|
|
|
|
#!/bin/bash
|
|
shopt -s nullglob
|
|
dylibs=$(for dylib in /Library/LaunchExtensions/*.dylib; do echo -n "$dylib:"; done)
|
|
export DYLD_INSERT_LIBRARIES=${dylibs%:}
|
|
exec -a /sbin/launchd /sbin/launchd.real
|